From 1bc2872ee6250b50d2ccedd9816007919bcdad9c Mon Sep 17 00:00:00 2001
From: Chao Chen
Date: Thu, 23 Feb 2023 14:29:54 -0800
Subject: [PATCH] migration auth tests to common #5

Signed-off-by: Chao Chen
---
 tests/common/auth_test.go | 68 +++++++++++++++++++++++++++++++++--
 tests/e2e/ctl_v3_auth_test.go | 64 --------------------------------
 2 files changed, 66 insertions(+), 66 deletions(-)

diff --git a/tests/common/auth_test.go b/tests/common/auth_test.go
index 31715660d818..a666142d639f 100644
--- a/tests/common/auth_test.go
+++ b/tests/common/auth_test.go
@@ -32,8 +32,11 @@ var defaultAuthToken = fmt.Sprintf("jwt,pub-key=%s,priv-key=%s,sign-method=RS256
 mustAbsPath("../fixtures/server.crt"), mustAbsPath("../fixtures/server.key.insecure"))
 
 const (
- PermissionDenied = "etcdserver: permission denied"
- AuthenticationFailed = "etcdserver: authentication failed, invalid user ID or password"
+ PermissionDenied = "etcdserver: permission denied"
+ AuthenticationFailed = "etcdserver: authentication failed, invalid user ID or password"
+ InvalidAuthManagement = "etcdserver: invalid auth management"
+
+ testPeerURL = "http://localhost:20011"
 )
 
 func TestAuthEnable(t *testing.T) {
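Review bot: `testPeerURL` hard-codes port 20011, which the e2e version it replaces computed as `e2e.EtcdProcessBasePort+11` (see the peerURL line removed from ctl_v3_auth_test.go further down), so it will silently diverge if the framework's base port changes and could overlap a port the runner already hands to a cluster member. Consider deriving it from the runner's base port, or at least document the coupling next to the constant: `// testPeerURL must stay clear of the peer ports the test runner assigns to cluster members.`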
@@ -475,6 +478,67 @@ func TestAuthRevokeWithDelete(t *testing.T) {
 })
 }
 
+func TestAuthMemberAdd(t *testing.T) {
+ testRunner.BeforeTest(t)
+ ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+ defer cancel()
+ clus := testRunner.NewCluster(ctx, t, config.WithClusterConfig(config.ClusterConfig{ClusterSize: 1}))
+ defer clus.Close()
+ cc := testutils.MustClient(clus.Client())
+ testutils.ExecuteUntil(ctx, t, func() {
+ require.NoErrorf(t, setupAuth(cc, []authRole{testRole}, []authUser{rootUser, testUser}), "failed to enable auth")
+ rootAuthClient := testutils.MustClient(clus.Client(WithAuth(rootUserName, rootPassword)))
+ testUserAuthClient := testutils.MustClient(clus.Client(WithAuth(testUserName, testPassword)))
+ _, err := testUserAuthClient.MemberAdd(ctx, "newmember", []string{testPeerURL})
+ require.ErrorContains(t, err, PermissionDenied)
+ _, err = rootAuthClient.MemberAdd(ctx, "newmember", []string{testPeerURL})
+ require.NoError(t, err)
+ })
+}
+
+func TestAuthMemberRemove(t *testing.T) {
+ testRunner.BeforeTest(t)
+ ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+ defer cancel()
+ clusterSize := 2
+ clus := testRunner.NewCluster(ctx, t, config.WithClusterConfig(config.ClusterConfig{ClusterSize: clusterSize}))
+ defer clus.Close()
+ cc := testutils.MustClient(clus.Client())
+ testutils.ExecuteUntil(ctx, t, func() {
+ require.NoErrorf(t, setupAuth(cc, []authRole{testRole}, []authUser{rootUser, testUser}), "failed to enable auth")
+ rootAuthClient := testutils.MustClient(clus.Client(WithAuth(rootUserName, rootPassword)))
+ testUserAuthClient := testutils.MustClient(clus.Client(WithAuth(testUserName, testPassword)))
+
+ memberId, clusterId := memberToRemove(ctx, t, rootAuthClient, clusterSize)
+
+ // ordinary user cannot remove a member
+ _, err := testUserAuthClient.MemberRemove(ctx, memberId)
+ require.ErrorContains(t, err, PermissionDenied)
+
+ // root can remove a member
+ removeResp, err := rootAuthClient.MemberRemove(ctx, memberId)
+ require.NoError(t, err, "MemberRemove failed")
+ require.Equal(t, removeResp.Header.ClusterId, clusterId)
+ })
+}
+
+func TestAuthTestInvalidMgmt(t *testing.T) {
+ testRunner.BeforeTest(t)
+ ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+ defer cancel()
+ clus := testRunner.NewCluster(ctx, t, config.WithClusterConfig(config.ClusterConfig{ClusterSize: 1}))
+ defer clus.Close()
+ cc := testutils.MustClient(clus.Client())
+ testutils.ExecuteUntil(ctx, t, func() {
+ require.NoErrorf(t, setupAuth(cc, []authRole{}, []authUser{rootUser}), "failed to enable auth")
+ rootAuthClient := testutils.MustClient(clus.Client(WithAuth(rootUserName, rootPassword)))
+ _, err := rootAuthClient.UserDelete(ctx, rootUserName)
+ require.ErrorContains(t, err, InvalidAuthManagement)
+ _, err = rootAuthClient.UserRevokeRole(ctx, rootUserName, rootRoleName)
+ require.ErrorContains(t, err, InvalidAuthManagement)
+ })
+}
+
 func mustAbsPath(path string) string {
 abs, err := filepath.Abs(path)
 if err != nil {
diff --git a/tests/e2e/ctl_v3_auth_test.go b/tests/e2e/ctl_v3_auth_test.go
index c9fd89ce877c..ac60cb106a18 100644
--- a/tests/e2e/ctl_v3_auth_test.go
+++ b/tests/e2e/ctl_v3_auth_test.go
@@ -27,12 +27,7 @@ import (
 "go.etcd.io/etcd/tests/v3/framework/e2e"
 )
 
-func TestCtlV3AuthMemberAdd(t *testing.T) { testCtl(t, authTestMemberAdd) }
-func TestCtlV3AuthMemberRemove(t *testing.T) {
- testCtl(t, authTestMemberRemove, withQuorum(), withDisableStrictReconfig())
-}
 func TestCtlV3AuthMemberUpdate(t *testing.T) { testCtl(t, authTestMemberUpdate) }
-func TestCtlV3AuthInvalidMgmt(t *testing.T) { testCtl(t, authTestInvalidMgmt) }
 func TestCtlV3AuthFromKeyPerm(t *testing.T) { testCtl(t, authTestFromKeyPerm) }
 func TestCtlV3AuthAndWatch(t *testing.T) { testCtl(t, authTestWatch) }
 func TestCtlV3AuthAndWatchJWT(t *testing.T) { testCtl(t, authTestWatch, withCfg(*e2e.NewConfigJWT())) }
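Review bot: TestAuthTestInvalidMgmt drops coverage of the root *role* guard: it asserts that `UserDelete(ctx, rootUserName)` is rejected, whereas the e2e test it replaces (removed at the end of ctl_v3_auth_test.go in this patch) ran `role delete root`, so after this commit nothing checks that RoleDelete of the root role returns ErrInvalidAuthMgmt. Keep the UserDelete check and add `_, err = rootAuthClient.RoleDelete(ctx, rootRoleName)` followed by `require.ErrorContains(t, err, InvalidAuthManagement)`, assuming the common client exposes RoleDelete like it does UserDelete. In TestAuthMemberRemove, `require.Equal(t, removeResp.Header.ClusterId, clusterId)` has expected and actual swapped — `require.Equal(t, clusterId, removeResp.Header.ClusterId)` makes the failure output read correctly — and the locals should be `memberID`/`clusterID` per Go initialism convention, as the removed e2e version already named them. The e2e TestCtlV3AuthMemberRemove ran with withQuorum() and withDisableStrictReconfig() while the new test uses a 2-member cluster with default settings; it is worth confirming that the runner's default strict-reconfig behaviour lets root remove one of two members, so the success assertion exercises the auth check rather than a reconfig rejection. memberToRemove is defined outside this hunk.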
@@ -104,51 +99,6 @@ func authSetupTestUser(cx ctlCtx) {
 }
 }
 
-func authTestMemberAdd(cx ctlCtx) {
- if err := authEnable(cx); err != nil {
- cx.t.Fatal(err)
- }
-
- cx.user, cx.pass = "root", "root"
- authSetupTestUser(cx)
-
- peerURL := fmt.Sprintf("http://localhost:%d", e2e.EtcdProcessBasePort+11)
- // ordinary user cannot add a new member
- cx.user, cx.pass = "test-user", "pass"
- if err := ctlV3MemberAdd(cx, peerURL, false); err == nil {
- cx.t.Fatalf("ordinary user must not be allowed to add a member")
- }
-
- // root can add a new member
- cx.user, cx.pass = "root", "root"
- if err := ctlV3MemberAdd(cx, peerURL, false); err != nil {
- cx.t.Fatal(err)
- }
-}
-
-func authTestMemberRemove(cx ctlCtx) {
- if err := authEnable(cx); err != nil {
- cx.t.Fatal(err)
- }
-
- cx.user, cx.pass = "root", "root"
- authSetupTestUser(cx)
-
- ep, memIDToRemove, clusterID := cx.memberToRemove()
-
- // ordinary user cannot remove a member
- cx.user, cx.pass = "test-user", "pass"
- if err := ctlV3MemberRemove(cx, ep, memIDToRemove, clusterID); err == nil {
- cx.t.Fatalf("ordinary user must not be allowed to remove a member")
- }
-
- // root can remove a member
- cx.user, cx.pass = "root", "root"
- if err := ctlV3MemberRemove(cx, ep, memIDToRemove, clusterID); err != nil {
- cx.t.Fatal(err)
- }
-}
-
 func authTestMemberUpdate(cx ctlCtx) {
 if err := authEnable(cx); err != nil {
 cx.t.Fatal(err)
@@ -210,20 +160,6 @@ func authTestCertCN(cx ctlCtx) {
 require.ErrorContains(cx.t, err, "permission denied")
 }
 
-func authTestInvalidMgmt(cx ctlCtx) {
- if err := authEnable(cx); err != nil {
- cx.t.Fatal(err)
- }
-
- if err := ctlV3Role(cx, []string{"delete", "root"}, "Error: etcdserver: invalid auth management"); err == nil {
- cx.t.Fatal("deleting the role root must not be allowed")
- }
-
- if err := ctlV3User(cx, []string{"revoke-role", "root", "root"}, "Error: etcdserver: invalid auth management", []string{}); err == nil {
- cx.t.Fatal("revoking the role root from the user root must not be allowed")
- }
-}
-
 func authTestFromKeyPerm(cx ctlCtx) {
 if err := authEnable(cx); err != nil {
 cx.t.Fatal(err)